Not saying that it's being done correctly here, but most likely doing some form of it. The backend server should "sanitize" any user input before storing it. The reason for this is there is a common exploit, Cross Site Scripting (XSS), where a vulnerable system will store executable code based on user input. So for example, if you have a freeform field (could be any kind of field, e.g. first name), and there is no sanitizing on the backend, the user could input executable code (really a script). Then when someone else opened that page that contained that field, the code would execute with that user's permissions. So, in this case if someone put malicious code in the for sale section, and an admin or mod brought it up in their browser, then the code would execute with the admin's or mod's permission level. For example you could create code to delete the whole forum, add another "admin" user, etc. Not sure that's (sanitizing) what's happening here, but sounds like it.
EDIT: There are other exploits that also need to be sanitized for using the same backend method, for example SQL injection.
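
Added example, not part of the original comment and not the forum's own code: a minimal Python sketch of the two backend defenses the comment refers to, using a parameterized query when storing a freeform field and HTML-escaping it when rendering. The `listings` table, the function names and the sample input are all hypothetical and constructed for illustration; escaping at output time is this example's choice of how to neutralize stored markup.

```python
import html
import sqlite3

# Constructed sample input for a hypothetical "for sale" listing form.
SAMPLE_TITLE = "Bike'); DROP TABLE listings;--"
SAMPLE_BODY = "Good condition <script>alert('xss')</script>"


def open_db():
    """Create an in-memory database with a hypothetical listings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    return conn


def save_listing(conn, title, body):
    """Store user input with bound parameters so it is never parsed as SQL."""
    cur = conn.execute("INSERT INTO listings (title, body) VALUES (?, ?)", (title, body))
    conn.commit()
    return cur.lastrowid


def fetch_listing(conn, listing_id):
    """Return the (title, body) pair exactly as it was stored."""
    return conn.execute(
        "SELECT title, body FROM listings WHERE id = ?", (listing_id,)
    ).fetchone()


def render_unsafe(conn, listing_id):
    """The vulnerable pattern: stored text is pasted into the page as markup."""
    title, body = fetch_listing(conn, listing_id)
    return f"<h2>{title}</h2><p>{body}</p>"


def render_safe(conn, listing_id):
    """The hardened pattern: HTML-escape every stored field on output."""
    title, body = fetch_listing(conn, listing_id)
    return f"<h2>{html.escape(title)}</h2><p>{html.escape(body)}</p>"


if __name__ == "__main__":
    db = open_db()
    lid = save_listing(db, SAMPLE_TITLE, SAMPLE_BODY)
    print(render_unsafe(db, lid))  # script tag reaches the viewer's browser intact
    print(render_safe(db, lid))    # script tag is shown as inert text
```
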